I have TrojanDownloader:Win32/Renos.MQ on my

Microsoft Windows xp professional w/serv...
July 27, 2010 at 20:50:41
Specs: Windows XP Professional SP3, P(R)/2000megs
I have the virus TrojanDownloader:Win32/Renos.MQ on my computer. It was found by Microsoft Security Essentials, which removed it but it keeps returning on restart. I've also run Malwarebytes Anti-Malware. I've run both these programs in safe mode and all appeared fixed. I restarted in safe mode and it worked fine. I restarted in regular mode and the virus came back. What can I try next?

Here is my last MWAM report.

Malwarebytes' Anti-Malware 1.46

Database version: 4052

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

7/27/2010 6:10:19 PM
mbam-log-2010-07-27 (18-10-19).txt

Scan type: Full scan (C:\|)
Objects scanned: 281426
Time elapsed: 1 hour(s), 26 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{91efb214-b33b-4aef-82fc-41e8964bcc52}\NameServer (Trojan.DNSChanger) -> Data:, -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Cinemaware Marquee\Port Royale 2\dsetup.dll (Malware.Packer.Gen) -> No action taken.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> No action taken.
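Added example (not part of the original post and not Malwarebytes code): a parser for the MBAM 1.46 text log format shown above. It checks the item sections against the log's own summary counts, lists detections recorded as "No action taken", and picks out Task Scheduler job files. The function names are illustrative, and the sample is an excerpt of the posted log.

```python
import re
from collections import Counter

# Excerpt of the log posted above (summary counts plus the item sections).
SAMPLE_LOG = r"""
Registry Keys Infected: 1
Registry Data Items Infected: 2
Files Infected: 2
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{91efb214-b33b-4aef-82fc-41e8964bcc52}\NameServer (Trojan.DNSChanger) -> Data:, -> No action taken.
Files Infected:
C:\Program Files\Cinemaware Marquee\Port Royale 2\dsetup.dll (Malware.Packer.Gen) -> No action taken.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> No action taken.
"""

SUMMARY = re.compile(r"^(?P<section>.+) Infected: (?P<count>\d+)$")
HEADER = re.compile(r"^(?P<section>.+) Infected:$")
ITEM = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")

def parse_mbam_log(text):
    """Return (declared_counts, items) parsed from an MBAM text log."""
    declared, items, section = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := SUMMARY.match(line):            # "Files Infected: 2"
            declared[m["section"]] = int(m["count"])
        elif m := HEADER.match(line):           # "Files Infected:"
            section = m["section"]
        elif section and (m := ITEM.match(line)):
            # The action is the text after the last "->" (some lines carry "Data:").
            action = m["rest"].split("-> ")[-1].rstrip(".")
            items.append({"section": section, "path": m["path"],
                          "detection": m["detection"], "action": action})
    return declared, items

def count_mismatches(declared, items):
    """Sections whose parsed item count differs from the log's summary."""
    found = Counter(i["section"] for i in items)
    return {s: (n, found[s]) for s, n in declared.items() if n != found[s]}

def unresolved(items):
    """Detections the log records as left in place."""
    return [i for i in items if i["action"] == "No action taken"]

def scheduled_tasks(items):
    """Detected Task Scheduler job files (*.job directly under a Tasks folder)."""
    return [i for i in items if re.search(r"\\Tasks\\[^\\]+\.job$", i["path"], re.I)]
```
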


July 27, 2010 at 21:32:38
Hi, please scan with Rkill, found here: http://download.bleepingcomputer.co... After it finishes, do NOT reboot, as this will cause the malware to reappear. After that has stopped scanning, please try scanning with either Hitman Pro: http://download.cnet.com/Hitman-Pro...

Or Trojan Remover: http://www.simplysup.com/tremover/d...

Helpful tips before getting started: http://www.computing.net/howtos/sho...


July 27, 2010 at 23:59:09
I ran Rkill, did not reboot and then ran Hitman Pro. It found like 19 threats and took care of them. For good measure I ran the trojan remover directly after that. It found nothing. I then restarted. On restart, MSE found the same trojan downloader. It's hiding somewhere deeper apparently.

Any other suggestions? Thanks for the help. Appreciate it greatly.


July 28, 2010 at 22:59:57

I ran all the scans again that you, xryanx, told me to. This time it seems to have gotten rid of the TrojanDownloader:Win32/Renos.MQ virus that I had because none of my scans on any of my programs have picked it up. However, MSE is now finding Trojan:Win32/Alureon.CO every hour or two. Again it says it removes it but then it just comes back. None of the other programs, MBAM, Hitman Pro, or the trojan remover have found the Alureon virus, only MSE. Any suggestions on how to remove that one?


July 29, 2010 at 10:13:33
Alureon is actually a rootkit. Please delete that instance of Rkill and redownload it from here: http://download.bleepingcomputer.co... Again, as before, do NOT reboot. Then please download and run TDSS Killer from here: http://support.kaspersky.com/downlo...

Let me know if that solves your problem.


July 29, 2010 at 13:01:30
I performed both of your suggestions. TDSSKiller found one "Suspicious object" but it suggested I skip it instead of quarantine or delete it. However, MSE hasn't found any trace of the Alureon virus since last night. I ran a full scan again this morning and it came up empty. So maybe MSE took care of it already. I will continue to look for any traces of either one of the viruses, however. Thank you so much for your help, xryanx.

One question, is there any possibility that all of my different virus scanners and everything else I've downloaded could be interfering with each other? I've downloaded at least 6 different security programs over the last couple days including the ones that you suggested.


July 29, 2010 at 15:40:30
Well, when one application doesn't find something, another one usually will. It usually has to do with each virus/database each program has, I suppose (don't quote me on this). A good example is, say, Norton finds a virus but cannot remove it, however Avast or Kaspersky can. It all depends on the program/updates and what it can remove. The reason Alureon was very hard to detect is because it's a rootkit, which in simple terms is a program that hides itself so it can't be easily detected by normal AV programs, etc.


August 2, 2010 at 11:03:30
Trojan Renos is a downloader trojan that brings malicious programs onto an infected computer, such as a rogue fake spyware program. To remove Trojan Renos, follow this:

TechVTS - Virus removal techniques


August 9, 2010 at 14:03:19
I also have TrojanDownloader:Win32/Renos.MQ. I have tried your suggestion along with several others I've found on the net and NOTHING is working to remove it.
I did the rkill and Trojan remover. It says it removes it but when I start up again it's there EVERY TIME!


August 10, 2010 at 06:50:38
OMG! I think it's finally FIXED!!!! Keep your fingers crossed!


August 10, 2010 at 08:14:39
I had both of these. Renos.mq infects other files. I had to restore from backup to fix it.


August 18, 2010 at 13:03:43
So almost three weeks after finding the last hint of either virus, Renos has popped up again. It's gotta be the same one because I've barely used the comp since the first virus outbreak. I tried your suggestion, old.boy71, and the program didn't find anything. Any other suggestions?
